Online password-guessing attacks on password-only systems have been observed for decades. Present-day attackers targeting such systems are empowered by their control of botnets of thousands to millions of nodes. In earlier ATT-based login protocols, there is a security-usability trade-off between the number of free failed login attempts (i.e., attempts with no ATTs) and user login convenience (e.g., fewer ATTs and other requirements). In particular, PHOP is more restrictive against brute-force and dictionary attacks while safely allowing a large number of free failed attempts for legitimate users.